607: Troubleshooting Methodology and Strategies
for XenMobile
Hands-on Lab Exercise Guide
Adolfo Montoya and Justin Maeder
May 2015
Table of Contents
Overview
Scenario
Exercise 1: Initial Configuration of the XenMobile Server
Exercise 2: XenMobile Server Getting Started Wizard
Exercise 3: Adding Worx Applications to XenMobile Server
Exercise 4: Configuring HDX Apps on XenMobile Server
Exercise 5: Unable to Enroll iOS or Android Devices
Exercise 6: Unable to Navigate Intranet Sites
Exercise 7: Unable to Access Mail via WorxMail on iOS
Exercise 8: Unable to Access Mail via WorxMail on Android
Exercise 9: Unable to Enumerate HDX Apps
Overview
Hands-on Training Module
Objective
This training will provide hands-on experience with the following:
Initial/Basic configuration of XenMobile Server 10.0.
Fix integration of XenMobile Server with NetScaler Gateway.
Fix Microsoft SharePoint accessibility via WorxWeb.
Fix integration of XenMobile Server with HDX resources (e.g. Windows apps).
Prerequisites
Basic understanding of Web/SaaS/Mobile apps.
Familiarity with navigating the NetScaler Configuration Utility.
Basic understanding of HTTP/HTTPS communication.
Basic understanding of networking concepts (i.e., IP addressing and communication).
Install Worx Home app on the iOS or Android device.
Audience
Citrix Partners, Customers, Sales Engineers, Consultants, Technical Support.
Lab Environment Details
The system diagram of the lab is shown below:
External access to common services (HTTP, SSL, SMTP, RDP, SSH, DNS), customized to simulate a real production environment.
1 Active Directory namespace (e.g. training.lab).
Pre-configured enterprise applications (Exchange & MSSQL).
Pre-configured NetScaler Gateway.
XenMobile Enterprise components (XenMobile Server, NetScaler Gateway, StoreFront and XenDesktop).
The Student Desktop is accessed remotely using Citrix Receiver running on your laptop. All
Windows applications, such as XenCenter (the XenServer GUI management tool), are accessed
from the Student Desktop.
Note: If you encounter the following message at any point during the lab exercises, click Restart
Later:
Lab Guide Conventions
This symbol indicates particular attention must be paid to this step
Special note to offer advice or background information
reboot: Text the student enters or an item they select is printed like this
VMDemo: Filename mentioned in text or lines added to files during editing
Start: Bold text indicates reference to a button or object
(R:255 G:20 B:147): Focuses attention on a particular part of the screen
(R:255 G:102 B:0): Shows where to click or select an item on a screen shot
List of Virtual Machines Used
VM Name | IP Address | Description / OS
Site1-AD.training.lab | 192.168.10.11 | Windows Server 2012 R2 Standard. Domain controller for training.lab, DNS, DHCP services, and license server.
Site1-DDC | 192.168.10.40 | Windows Server 2012 R2 Std. with XenDesktop 7.6 installed.
Site1-XMS1 | 192.168.10.20 | XenMobile Server 10.0. Students will perform the initial/basic XenMobile Server configuration and configure apps, policies, and delivery groups.
Site1-Exchange | 192.168.10.15 | Windows Server 2008 R2 with Exchange 2010 installed.
Site1-NS1 | NSIP=192.168.10.50, VIP=192.168.10.100, VIP=192.168.10.101 | NS/AGEE 10.5. Students will perform steps to integrate NetScaler Gateway with Citrix StoreFront and XenMobile Server.
Site1-SharePoint | 192.168.10.14 | Windows Server 2008 R2 with SharePoint 2010 installed.
Site1-SQLServer | 192.168.10.12 | Windows Server 2012 Standard with SQL Server installed.
Site1-VDA | 192.168.10.205 | Windows 8.1 Professional with XenDesktop VDA installed.
Required Lab Credentials
The credentials required to connect to the environment and complete the lab exercises.
VM Name | Username | Password | Description
Site1-AD.training.lab, Site1-Win81Client, Site1-DDC, Site1-Exchange, Site1-SharePoint, Site1-SQLServer, Site1-VDA | administrator | Citrix123 | Domain admin
Site1-NS1 | nsroot | nsroot | NetScaler admin
Scenario
You have been hired as a consultant to deploy XenMobile Enterprise Edition for MobileTeX, Inc. in order to provide management of devices along with access to internal applications and data resources from any mobile device. Your task is to use the guidelines outlined below to implement a solution that meets the business needs.
Guidelines:
Architecture: The XenMobile Server should be installed and configured in the protected
LAN.
Security: NetScaler Gateway should front the XenMobile Server to provide a single point of
access.
Data: Company data should be available to employees internally and externally. This data
should be made publicly available and should only be accessed using read-only methods.
Users: End users should be able to browse internal sites securely.
Exercise 1
Initial Configuration of the XenMobile Server
Overview
Configuring the XenMobile Server is a two-part process. The initial configuration is done at the console of the server by configuring the new password, network settings (i.e., IP address, subnet mask, default gateway), database location, and external FQDN. Once this is done, you connect to the Administration Console from a web browser to configure the basic configuration via the Start-up Wizard. In this lab, you will perform the initial configuration at the console of the XenMobile Titan server.
Step by step guidance
Estimated time to complete this lab: 10 minutes.
Step Action
1. Within XenCenter, double-click xenserver and enter the login credentials provided in
the lab site:
User name: admin
Password: (The XenServer credentials information is located in the lab site).
2. Select the Site1-XMS1 virtual machine and click the Console tab. You will notice that
the XenMobile Server is in First Time Use mode.
Enter Citrix123 as the new password and hit Enter.
Re-enter Citrix123 as the new password and hit Enter.
3. Configure the following settings:
IP Address: 192.168.10.20
Netmask: 255.255.255.0
Default gateway: 192.168.10.1
Primary DNS server: 192.168.10.11
Secondary DNS server [optional]: Leave blank
Hit Enter to commit the settings.
4. The network settings are applied. Hit Enter to generate a random password to secure
server data.
5. Hit Enter to leave the FIPS mode disabled.
6. Next we will configure a remote database connection. Configure the following settings:
Local or remote [l/r]: r
Type (mi=Microsoft SQL, p=PostgreSQL) [mi]: mi
Use SSL: n
Server: 192.168.10.12
Port: 1433
Username: training\administrator
Password : Citrix123
Database name : DB_service
Accept the default y to commit the settings.
7. Hit Enter to enable Clustering on the XenMobile Server.
8. You are prompted for the XenMobile hostname.
Enter <IP2 FQDN> from your portal page.
Note: Your IP2 FQDN is available on the portal
page.
Example Only: 75-126-159-220.mycitrixtraining.net
Accept the default y to commit the settings.
9. Configure the following communication ports (Port listeners):
HTTP: 80
HTTPS with certificate authentication: 443
HTTPS with no certificate authentication: 8443
HTTPS for management: 4443
Accept the default y to commit the settings.
10. You are asked to use the same password for all certificates of the PKI.
Hit Enter to accept the default y.
Enter Citrix123 as the new password.
Re-enter Citrix123 as the password.
Hit Enter to accept the default y to commit the settings.
Note: This configuration is for all the Public Key Infrastructure (PKI) certificates. This step creates the device manager’s certificate authorities. If you intend to cluster XenMobile Server nodes, you will need to provide
identical passwords for subsequent nodes.
11. You are prompted to configure the XenMobile console administrator account.
Configure the account as follows:
Username: administrator (Hit Enter to accept the default)
Password: Citrix123
Re-enter new password: Citrix123
Hit Enter to accept the default y to commit the settings.
12. You are asked if this is an upgrade from a previous release. Hit Enter to accept the
default n.
13. Once initial installation is complete, the following prompt should be seen:
14. Congratulations, you have finished this lab exercise.
Exercise Summary
In this exercise, the student performed the initial configuration of the XenMobile Server. During the first time use, you configured the XenMobile Server networking information, FQDN, DNS Server, and connection to a remote SQL database.
Exercise 2
XenMobile Server Getting Started Wizard
Overview
In this exercise we will go through the XenMobile Server Getting Started wizard in order to configure licensing, NetScaler Gateway integration, authentication server settings and more. The applications and policies will be assigned to the delivery groups.
Step by step guidance
Estimated time to complete this lab: 10 minutes.
Step Action
1. Minimize the Citrix XenCenter console.
2. On the taskbar, launch Chrome browser.
3. To access the XenMobile web management console, click the XenMobile Server
bookmark.
4. At the Certificate warning prompt, click Proceed to 192.168.10.20 (unsafe).
5. Login with the following credentials:
Username: administrator
Password: Citrix123
Click Sign in.
6. The Get Started wizard is displayed. Click Start to begin the configuration wizard.
7. The Initial Configuration window is displayed.
Click Next to accept the default licensing configuration.
8. On the SSL Certificate page, click Import.
9. Configure the following settings:
Import: Keystore
Keystore type: PKCS#12
Use as: APNs
Keystore file: APNS.pfx (Browse to \\Ad\Software\Certificates)
Password: Citrix123
Click Import.
Note: At the Windows Security prompt, enter the domain administrator credentials.
Username: training\administrator
Password: Citrix123
10. A confirmation window pops up.
Click OK.
11. Click Import again.
Configure the following settings:
Import: Keystore
Keystore type: PKCS#12
Use as: SSL Listener
Keystore file: MCTWildcard.pfx (Browse to \\Ad\Software\Certificates)
Password: Citrix123
12. A confirmation window pops up.
Click OK.
13. Both APNs and SSL Listener certificates are displayed.
Click Next.
14. Click Next. You are prompted to configure NetScaler Gateway.
Configure the following settings:
Name: NSG
Alias: leave blank
External URL: https://<IP1 FQDN>
Logon Type: Domain only
Password Required: On
Set as Default: On
Note: Your IP1 FQDN is available on the portal
page.
Example Only: 75-126-159-219.mycitrixtraining.net
Click Next.
15. The LDAP Configuration page is displayed. Configure the following settings:
Primary Server: 192.168.10.11
Port: 389 (Default)
Domain name: training.lab
Userbase DN: dc=training,dc=lab (auto-filled in)
Group base DN: dc=training,dc=lab (auto-filled in)
User ID: [email protected]
Password: Citrix123
Domain alias: training.lab
Use search by: userPrincipalName (Default)
Click Next.
16. Click Next to skip the Notification Server configuration.
17. Click Finish on the Summary page.
18. The initial configuration is complete. Click Start Managing Apps and Devices.
19. In XenCenter, select the Site1-XMS1 virtual machine.
Click Reboot to reboot the server.
20. Wait until the XenMobile Server is back up before continuing with the next exercise.
21. Congratulations, you have finished this lab exercise.
Exercise Summary
The Getting Started wizard walks you through the configuration process for licensing, certificates, NetScaler Gateway & LDAP settings for the XenMobile Server.
Exercise 3
Adding Worx Applications to XenMobile Server
Overview
In this exercise students will add and configure MDX-wrapped WorxWeb & WorxMail apps for iOS
and Android in the XenMobile Server.
Step by step guidance
Estimated time to complete this lab: 10 minutes.
Step Action
1. Browse to http://bit.ly/Worx-Apps and download the WorxApps.zip file. This file includes all of the MDX applications for Android and iOS.
Extract the file to the Desktop.
2. If not open, launch the Chrome browser and click the XenMobile Server bookmark.
3. At the Certificate warning prompt, click Proceed to 192.168.10.20 (unsafe).
4. Login with the following credentials:
Username: administrator
Password: Citrix123
Click Sign in.
5. To configure applications in XenMobile Server, go to Configure > click Apps.
6. Click Add.
7. At the Add App prompt window, click MDX.
8. Let’s add the WorxWeb MDX-wrapped app.
Click Add.
9. At the Add App prompt window, click MDX.
Steps 10 to 14 are the same on iOS and Android except where a platform is named.
10. In the App Information page, enter the following information:
Name: WorxWeb
Description: blank
App category: Default
Click Next.
11. Uncheck Windows Phone.
12. iOS: For iOS MDX apps, click Upload. Browse to the Desktop and select WorxWeb.mdx in the WorxApps\iOS folder.
Android: For Android MDX apps, click Upload. Browse to the Desktop and select WorxWeb.mdx in the WorxApps\Android folder.
13. In the MDX policies section, scroll down to Network Access and select Tunneled to the internal network.
14. Scroll down to the Application Settings section and enter the following parameters:
Preloaded bookmarks: Training,SharePoint,http://sp.training.lab,Training,Office Mail,https://mail.training.lab/owa
Home page URL: www.citrix.com
15. Click Next to bypass Approvals.
16. Select AllUsers delivery group.
Click Save.
17. Verify the WorxWeb app has been added.
18. Now let’s add the WorxMail MDX-wrapped app.
Click Add.
19. At the Add App prompt window, click MDX.
Steps 20 to 24 are the same on iOS and Android except where a platform is named.
20. In the App Information page, enter the following information:
Name: WorxMail
Description: blank
App category: Default
Click Next.
21. Uncheck Windows Phone.
22. iOS: For iOS MDX apps, click Upload. Browse to the Desktop and select WorxMail.mdx in the WorxApps\iOS folder.
Android: For Android MDX apps, click Upload. Browse to the Desktop and select WorxMail.mdx in the WorxApps\Android folder.
23. In the MDX policies section, scroll down to Network Access and select Tunneled to the internal network.
24. Scroll down to the Application Settings section and enter the following parameters:
iOS:
Background network services: mail.training.lab:443
Background network service gateway: ag.domain.lab:443
Accept all SSL certificates: ON
Android:
Background network services: mail.training.lab:443
Background network service gateway: <IP1 FQDN>:443
Accept all SSL certificates: ON
25. Click Next to bypass Approvals.
26. Select AllUsers delivery group.
Click Save.
27. Verify that both WorxMail and WorxWeb apps have been added.
28. Congratulations, you have finished this lab exercise.
Exercise Summary
In this exercise students had the opportunity to add and configure the MDX-wrapped WorxWeb mobile
application for iOS or Android devices. The configuration done on WorxWeb allows the student to
navigate internal/external Web resources.
Please note that some of the configuration conducted earlier is incorrect (on purpose). This will allow
us to go through the troubleshooting phase later, investigate what is wrong and where, and fix it.
Exercise 4
Configuring HDX Apps on XenMobile Server
Overview
In this exercise students will configure the XenMobile Server with StoreFront 2.6 to access HDX
apps (e.g. Windows apps/desktops).
Please note that some of the configuration conducted in this exercise is incorrect (on purpose). This will
allow us to go through the troubleshooting phase later, investigate what is wrong and where, and fix it.
Step by step guidance
Estimated time to complete this lab: 10 minutes.
Step Action
1. If not open, launch the Chrome browser and click the XenMobile Server bookmark.
2. At the Certificate warning prompt, click Proceed to 192.168.10.20 (unsafe).
3. Login with the following credentials:
Username: administrator
Password: Citrix123
Click Sign in.
4. To configure HDX apps within XenMobile Server, go to Configure > click Settings.
5. Click More and select XenApp/XenDesktop.
6. Enter the following parameters:
Host: 192.168.10.40
Port: 80
Relative Path: /Citrix/Store/PNAgent/config.xml
Use HTTPS: Off
Click Save.
7. Congratulations, you have finished this lab exercise.
Exercise Summary
In this exercise students configured XenMobile Server with StoreFront to publish HDX Apps (e.g.
Windows apps/desktops) for mobile users.
As a reminder, XenMobile Server version 10 no longer supports StoreFront being in front of
XenMobile. Instead, XenMobile Server needs to contact the StoreFront (or Web Interface) server
using the PNAgent services site (e.g. /PNAgent/config.xml).
Please note that some of the configuration conducted earlier is incorrect (on purpose). This will allow
us to go through the troubleshooting phase later, investigate what is wrong and where, and fix it.
Exercise 5
Unable to Enroll iOS or Android Devices
Overview
In this exercise students will try to enroll their iOS or Android device against the XenMobile Server.
Students will notice that the enrollment process is partially successful but they are unable to access
the application store (e.g. Worx Store).
For this use case, the NetScaler Gateway has been pre-configured. Some of the settings are
correct and some are wrong. As part of the troubleshooting process, students will go through a
series of steps to determine what’s wrong with the current environment and find a resolution.
Note: Be sure to have a fresh installation of the Worx Home app on the iOS or Android device. In
addition, make sure your mobile device is NOT enrolled with any other XenMobile environment.
Step by step guidance
Estimated time to complete this lab: 45 minutes.
Steps 1 to 4 are the same on iOS and Android except where a platform is named.
1. Launch Worx Home app.
2. At prompt, enter the <IP2 FQDN> as listed in the lab site.
3. Tap Yes at the prompt.
Android only: Tap Activate.
4. At prompt, enter User1 credentials in UPN format:
Username: [email protected]
Password: Citrix123
Tap Sign On.
Android only: Skip to Step 11.
5. As part of the enrollment process, we need to install the required profiles on the iOS device to allow
IT Admins to send notifications and apps, revoke the device, and use other device management features.
Tap Install.
6. At the Warning prompt, tap Install.
7. At the prompt to install the XenMobile Profile Service, tap Install.
8. At the Warning prompt, tap Install.
9. At the Remote Management prompt, tap Trust.
10. Tap Done.
11. iOS: Once the profile is installed, do you notice any errors before reaching the Worx Store?
Android: Do you notice any errors before reaching the Worx Store?
12. Let’s find out if the mobile device got enrolled with XenMobile.
Go to the Chrome browser and navigate to the XenMobile Server web management console.
13. Go to Manage > click Devices.
14. Do you see the iOS or Android device enrolled?
Indeed!
This quick verification rules out any misconfiguration between NetScaler and the MDM load
balancer for XenMobile Server.
But what about the MAM access?
15. Since we know enrollment is working fine, let’s try to bypass the MDM enrollment process and
connect directly to the Worx Store.
To do this, we need to remove any previously installed profiles by XenMobile Server to the mobile
device.
16. iOS Only: Go to the Settings > General > tap Profiles & Device Management.
Remove both MDM Configuration and XenMobile CA profiles.
Android Only: Go to the Settings > Security > Device Administrators > deselect Worx
Home.
Once Worx Home is deactivated, re-install Worx Home on the Android device.
17. iOS: Next, double press the Home button on the iOS device and kill the Worx Home app.
Android: Once Worx Home is deactivated, we need to re-install Worx Home on the Android device.
18. iOS and Android: Launch the Worx Home app and let’s configure it to bypass the enrollment process altogether.
19. iOS and Android: At prompt, enter the <IP1 FQDN> as provided in the lab portal page.
20. iOS and Android: At prompt, enter User1 credentials in UPN format.
Username: [email protected]
Password: Citrix123
Tap Sign On.
21. iOS and Android: Do you notice any errors?
22. Now that we know something is wrong when accessing the Worx Store, let’s check if there is
anything wrong with the NetScaler Gateway.
Remember, at this stage we see a failure AFTER submitting user credentials. Hence, we know that
Worx Home can contact the NetScaler Gateway properly via SSL (443).
The following questions may arise:
- Is the NetScaler able to validate the user credentials?
- Can the NetScaler contact the XenMobile Server? (Note: We partially know this answer.
Remember during the enrollment stage, the NetScaler was able to contact the XenMobile
Server for MDM purposes.)
- Is DNS properly configured between NetScaler and XenMobile Server?
- Is the Worx Home policy properly bound and configured?
Let’s answer these questions by using some of the built-in tools in NetScaler.
23. First, let’s validate if the NetScaler can validate the user credentials.
Go to the desktop and launch mRemoteNG.
This application will allow us to remotely connect to multiple VMs within the environment.
24. Go to the Connections tab and double-click NS 1.
This launches an SSH connection to the NetScaler.
25. Next, run shell and hit Enter.
26. Run the following command to check in real-time if the user credentials are valid or not.
root@ns# cat /tmp/aaad.debug
Hit Enter.
27. Go back to the mobile device and kill the Worx Home app.
We are going to re-enter the <IP1 FQDN> and User1 credentials.
Before tapping Sign On, pay close attention to the SSH session.
28. You should expect to see a few lines similar to this:
/usr/home/build/tagma_54/usr.src/netscaler/aaad/ldap_drv.c[761]: receive_ldap_user_bind_event Bind OK.
Mon Jan 5 17:50:43 2015
/usr/home/build/tagma_54/usr.src/netscaler/aaad/naaad.c[2932]: unregister_timer releasing timer 13
Mon Jan 5 17:50:43 2015
/usr/home/build/tagma_54/usr.src/netscaler/aaad/naaad.c[1965]: send_accept sending accept to kernel for : [email protected]
This message tells us that the validation process was successful. Therefore, we can disregard any
issues between NetScaler and LDAP queries made to Active Directory.
To stop the AAA debug tool from running in the SSH session, press Ctrl + C simultaneously.
29. Next step is to validate that the NetScaler can indeed contact the XenMobile Server successfully.
Again, we already know that the enrollment (MDM) process worked successfully.
Let’s check if the DNS is properly set such that the NetScaler can communicate with the MAM
process of the XenMobile Server.
Remember that as part of the new requirement for XenMobile 10, NetScaler will contact an internal
load balancing vserver for MAM purposes using the XenMobile Server hostname. This hostname
record must exist on the NetScaler.
30. Go back to mRemoteNG to the SSH session against the NetScaler (e.g. NS 1).
Inside the shell, type the following command:
dig <IP2 FQDN> and hit Enter.
This will allow us to know if the NetScaler can resolve the XenMobile Server hostname.
Example of command:
root@ns# dig 75-126-159-220.mycitrixtraining.net
31. Do you notice something missing in the summary?
; <<>> DiG 9.8.4-P2 <<>> 75-126-159-220.mycitrixtraining.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 49547
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;75-126-159-220.mycitrixtraining.net. IN A
;; AUTHORITY SECTION:
mycitrixtraining.net. 3600 IN SOA ad.training.lab. hostmaster.training.lab. 3 900 600 86400 3600
;; Query time: 1 msec
;; SERVER: 127.0.0.2#53(127.0.0.2)
;; WHEN: Mon Jan 5 18:11:03 2015
;; MSG SIZE rcvd: 135
32. Indeed! There is no IP address returned!
Let’s verify if the A record indeed does not exist.
Before running this command, we need to exit from the NetScaler shell.
Type exit and hit Enter.
33. Next, type the following command to verify if the DNS A record exists:
> show dns AddRec <IP2 FQDN>
Example of command:
> show dns AddRec 75-126-159-220.mycitrixtraining.net
34. What do you get in return? (Check the highlighted area).
> show dns AddRec 75-126-159-220.mycitrixtraining.net
ERROR: Address record for host name not available
35. This confirms that the DNS A record does not exist on the NetScaler.
This DNS A record is an important piece of integration between NetScaler and XenMobile Server.
But before we can generate the DNS A record on the NetScaler, we need to find out what is the
load balancing IP (e.g. VIP) used in this broken configuration for MAM purposes.
36. In the SSH session, type the following command:
> show lb vserver _XM and hit Tab twice.
This should display all the load balancing vservers created in this configuration related to
XenMobile.
> show lb vserver _XM_
_XM_LB_MDM_XenMobileMDM_192.168.10.101_443 _XM_LB_MDM_XenMobileMDM_192.168.10.101_8443
_XM_MAM_LB_192.168.1.1_8443
37. The load balancing vserver that we are interested in is the MAM one.
In the SSH session type:
> show lb vserver _XM_MAM_LB_192.168.1.1_8443 and hit Enter.
38. The following is returned. Check the highlighted areas:
> show lb vserver _XM_MAM_LB_192.168.1.1_8443
_XM_MAM_LB_192.168.1.1_8443 (192.168.1.1:8443) - SSL Type: ADDRESS
State: DOWN[Certkey not bound]
Last state change was at Fri Jan 2 15:27:28 2015
Time since last state change: 3 days, 08:04:50.790
Effective State: DOWN
Client Idle Timeout: 180 sec
Down state flush: ENABLED
Disable Primary Vserver On Down : DISABLED
Appflow logging: ENABLED
No. of Bound Services : 1 (Total) 1 (Active)
Configured Method: LEASTCONNECTION
Rule: HTTP.REQ.COOKIE.VALUE("ACNODEID")
Mode: IP
Persistence: CUSTOMSERVERID Persistence Timeout: 2 min
Vserver IP and Port insertion: OFF
Push: DISABLED Push VServer:
Push Multi Clients: NO
Push Label Rule: none
L2Conn: OFF
Skip Persistency: None
IcmpResponse: PASSIVE
RHIstate: PASSIVE
New Service Startup Request Rate: 0 PER_SECOND, Increment Interval: 0
Mac mode Retain Vlan: DISABLED
DBS_LB: DISABLED
Process Local: DISABLED
Traffic Domain: 0
Bound Service Groups:
1) Group Name: _XM_SVC_GRP_MAM_
1) _XM_SVC_GRP_MAM_ (192.168.10.20: 8443) - SSL State: UP Weight: 1
Done
>
39. If you paid close attention, we found two things:
1. We figured out the virtual IP address (VIP) for the MAM load balancing vserver. In this case
it is 192.168.1.1, listening on port 8443.
2. Another interesting point is that there is no SSL certificate bound to this virtual server!
Because SSL Offload is being used for MAM, we must bind an SSL certificate.
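The two findings from steps 31 to 39 can be checked mechanically from the captured command output. The script below is an added example, not part of the original lab guide: it parses the dig and show lb vserver output shown above (trimmed) and reports a missing A record for the XenMobile Server hostname and a MAM vserver that is not UP. The function names are illustrative.

```python
import re

# Output copied from steps 31 and 38 of this guide, trimmed to the lines the checks read.
DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 49547
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;75-126-159-220.mycitrixtraining.net. IN A
;; AUTHORITY SECTION:
mycitrixtraining.net. 3600 IN SOA ad.training.lab. hostmaster.training.lab. 3 900 600 86400 3600
"""

LB_OUTPUT = """\
_XM_MAM_LB_192.168.1.1_8443 (192.168.1.1:8443) - SSL Type: ADDRESS
State: DOWN[Certkey not bound]
Effective State: DOWN
Bound Service Groups:
1) Group Name: _XM_SVC_GRP_MAM_
1) _XM_SVC_GRP_MAM_ (192.168.10.20: 8443) - SSL State: UP Weight: 1
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def parse_dig(text):
    """Extract the response status, ANSWER count and any A records from dig output."""
    status = re.search(r"status:\s*(\w+)", text)
    answers = re.search(r"ANSWER:\s*(\d+)", text)
    # Answer lines are not commented with ';' and look like "name. TTL IN A addr".
    a_records = re.findall(rf"^(?!;)\S+\s+\d+\s+IN\s+A\s+({IPV4})\s*$", text, re.M)
    return {
        "status": status.group(1) if status else None,
        "answers": int(answers.group(1)) if answers else 0,
        "a_records": a_records,
    }


def parse_lb_vserver(text):
    """Extract VIP, port, protocol, state (with reason) and bound services."""
    head = re.search(rf"^(\S+)\s+\(({IPV4}):(\d+)\)\s+-\s+(\S+)", text, re.M)
    # "State: DOWN[Certkey not bound]" carries the reason in brackets.
    state = re.search(r"^State:\s*(\w+)(?:\[(.*?)\])?", text, re.M)
    members = re.findall(
        rf"^\d+\)\s+\S+\s+\(({IPV4}):\s*(\d+)\)\s+-\s+\S+\s+State:\s*(\w+)", text, re.M
    )
    if not head or not state:
        raise ValueError("not a 'show lb vserver' listing")
    return {
        "name": head.group(1),
        "vip": head.group(2),
        "port": int(head.group(3)),
        "protocol": head.group(4),
        "state": state.group(1),
        "reason": state.group(2),
        "members": [(ip, int(port), st) for ip, port, st in members],
    }


def mam_findings(xms_fqdn, dig_text, lb_text):
    """Return the list of problems between the NetScaler and the MAM vserver."""
    dns, lb = parse_dig(dig_text), parse_lb_vserver(lb_text)
    findings = []
    if dns["status"] != "NOERROR" or not dns["a_records"]:
        findings.append(
            f"DNS: {xms_fqdn} has no A record on the NetScaler "
            f"(status {dns['status']}); expected one for {lb['vip']}"
        )
    elif lb["vip"] not in dns["a_records"]:
        findings.append(
            f"DNS: {xms_fqdn} resolves to {dns['a_records']}, not the MAM VIP {lb['vip']}"
        )
    if lb["state"] != "UP":
        reason = f" [{lb['reason']}]" if lb["reason"] else ""
        findings.append(f"LB: {lb['name']} is {lb['state']}{reason}")
    for ip, port, st in lb["members"]:
        if st != "UP":
            findings.append(f"LB: bound service {ip}:{port} is {st}")
    return findings


if __name__ == "__main__":
    for line in mam_findings("75-126-159-220.mycitrixtraining.net", DIG_OUTPUT, LB_OUTPUT):
        print(line)
```
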
40. First, let’s create the DNS A record on the NetScaler.
Minimize the mRemoteNG console.
Go to Chrome browser and click the NetScaler bookmark.
41. Login to the NetScaler management console with the default credentials:
Username: nsroot
Password: nsroot
42. Before creating the DNS (A) record, let’s flush any cached DNS records from the NetScaler.
Go to Traffic Management > DNS > Records > click Flush Proxy Records.
Click OK.
43. In the Configuration tab, go to Traffic Management > DNS > Records > click Address
Records.
44. Click Add.
45. Enter the following parameters:
Host Name: <IP2 FQDN>
IP Address: 192.168.1.1
Click Create.
Note: Your IP2 FQDN is available on the portal
page.
Example Only: 75-126-159-220.mycitrixtraining.net
46. Verify the record has been added.
47. Next, we need to bind the SSL certificate to the load balancing virtual server for MAM.
In the NetScaler management console, go to Traffic Management > Load Balancing > click
Virtual Servers.
48. Select the MAM load balancing virtual server and click Edit.
49. Click SSL Certificate.
50. Click on the No Server Certificate message.
51. To select the SSL certificate, click to select.
52. Select the Wildcard.mycitrixtraining.net SSL certificate.
Click OK.
53. Click Bind.
54. Click Done.
55. Verify that all load balancing virtual servers are UP.
56. Click Save.
57. Let’s now test and verify if this configuration works.
First, we will test the MAM access only (bypassing enrollment) to ensure access to Worx Store is
fixed.
iOS and Android:
58. Kill the Worx Home app.
59. Launch Worx Home. At prompt, enter the <IP1 FQDN> from the lab portal.
60. At prompt, enter User1 credentials in UPN format.
Username: [email protected]
Password: Citrix123
Tap Sign On.
61. Do you see an error pop-up?
62. Indeed! There is something else missing in this configuration.
Let’s investigate if the correct Session Policy is being hit by NetScaler.
To verify this, we will use the SSH session in mRemoteNG console.
63. Restore the mRemoteNG console window and restore the SSH session to the NetScaler by double-
clicking NS 1.
64. Type shell and hit Enter.
65. Next, type the following command to witness in real-time the policies being hit when a user attempts
to connect to the NetScaler Gateway vserver:
root@ns# nsconmsg -d current -g pol_hits
iOS and Android:
66. Go back to the mobile device and kill the Worx Home app.
67. Launch Worx Home. At prompt, enter the <IP1 FQDN> from the lab portal.
68. At prompt, enter User1 credentials in UPN format.
Username: [email protected]
Password: Citrix123
Tap Sign On.
69. Once you receive the error in Worx Home, go back to the SSH session to check what policies were hit.
70. The policy we are interested in is this one: PL_OS_192.168.10.100.
Notice that this policy was hit successfully, but there is something wrong with it since we cannot
access the Worx Store.
71. In the SSH session, press Ctrl + C to exit the real-time monitoring of policies.
72. Next, type exit to exit the shell.
73. So far, we know that the PL_OS_192.168.10.100 session policy is being hit by Worx Home. But
let’s find out which Session Profile is taking effect.
In the SSH session, type show runningconf | grep "PL_OS_" and hit Enter.
Example of command and result:
> show runningconf | grep "PL_OS_"
add vpn sessionPolicy PL_OS_192.168.10.100 "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS" AC_OS_192.168.10.100_A_
bind vpn vserver _XM_XenMobileGateway -policy PL_OS_192.168.10.100 -priority 100
>
74. Check the highlighted area (AC_OS_192.168.10.100_A_, at the end of the add vpn sessionPolicy line).
That is the Session Profile being used by this particular session policy for Worx Home.
75. Next, let’s check what profile settings are taking effect.
Type the command show runningconf | grep "AC_OS_" and hit Enter.
Example of result:
add vpn sessionAction AC_OS_192.168.10.100_A_ -splitDns BOTH -sessTimeout 1440 -splitTunnel OFF -transparentInterception ON -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy OFF -ClientChoices OFF -forcedTimeout 1440 -clientlessVpnMode ON -clientlessModeUrlEncoding TRANSPARENT -SecureBrowse ENABLED -storefronturl "https://xm.training.lab:8443"
add vpn sessionPolicy PL_OS_192.168.10.100 "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS" AC_OS_192.168.10.100_A_
>
76. Take a close look at the highlighted area (the -storefronturl value).
The parameter storefronturl is the same as the Account Services URL when accessing the Web
GUI console.
Does this URL look right?
Of course not! This URL has to match exactly with the XenMobile Server hostname.
77. To quickly fix this, let’s run the following command to set the correct parameter value.
Type the command set vpn sessionAction AC_OS_192.168.10.100_A_ -storefronturl "https://<IP2 FQDN>:8443"
Example of command:
> set vpn sessionAction AC_OS_192.168.10.100_A_ -storefronturl "https://75-126-159-220.mycitrixtraining.net:8443"
Done
Note: It is very important to include the :8443 port number. This is the port the XenMobile Server
uses for the MAM services.
78. Are we done? Not so fast!
There are a few more edits to make. These are:
- The App Controller URL
- The Clientless Access Domains
Check it out for yourself by running the command show runningconf | grep "xm.training.lab"
Example of results:
bind policy patset ns_cvpn_default_inet_domains xm.training.lab:8443 -index 2
bind vpn vserver _XM_XenMobileGateway -appController "https://xm.training.lab:8443"
Note: The other session policies for Receiver for Web and NetScaler Gateway plug-in are not
relevant for this troubleshooting session. You are more than welcome to fix them but it is not
necessary.
79. Let’s fix the clientless access domain with the correct hostname.
Type the following command to add a new pattern set:
bind policy patset ns_cvpn_default_inet_domains <IP2 FQDN>:8443 -index 3
and hit Enter.
Example of command and result:
> bind policy patset ns_cvpn_default_inet_domains 75-126-159-220.mycitrixtraining.net:8443 -index 3
Done
>
80. Finally, let’s fix the AppController URL parameter. First, we need to unbind the wrong value.
Type the following command:
unbind vpn vserver _XM_XenMobileGateway -appController "https://xm.training.lab:8443"
and hit Enter.
81. Next, bind the correct value to the AppController parameter.
Type the following command:
bind vpn vserver _XM_XenMobileGateway -appController "https://<IP2 FQDN>:8443"
Example of command and result:
> bind vpn vserver _XM_XenMobileGateway -appController "https://75-126-159-220.mycitrixtraining.net:8443"
Done
>
82. To save all the changes made so far, type save conf and hit Enter.
83. Finally, let’s do some testing!
iOS and Android (the steps are the same on both platforms):
84. Kill the Worx Home app in the mobile device.
85. Launch Worx Home. At prompt, enter the <IP1 FQDN> from the lab portal.
86. At prompt, enter User1 credentials in UPN format.
Username: [email protected]
Password: Citrix123
Tap Sign On.
87. Are you able to access the Worx Store?
If no, that means there is a typo somewhere in the previous commands executed.
Otherwise, you should be able to access the Worx Store and see the WorxWeb and WorxMail apps.
88. Do not sign off. We will continue the current session in the next exercise.
Minimize the mRemoteNG console window.
89. Congratulations, you have finished this lab exercise.
Exercise Summary
In this exercise students had the opportunity to test the XenMobile deployment using their iOS or
Android device and access MDX-wrapped apps.
As part of the troubleshooting process, NetScaler built-in tools were utilized to narrow down the
issue and fix it. Issues such as DNS, wrong hostname values and missing SSL certificates are
common and easy to overlook when deploying a XenMobile solution.
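The hostname check done by hand in steps 73 to 81 can be scripted against saved `show runningconf` output. The following is an added example, not part of the original lab guide or of any Citrix tool; the function names are hypothetical and the sample configuration is constructed from the lines shown in this exercise, with the sessionAction line shortened.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the lines the lab greps out of "show runningconf" before
# the fix (the sessionAction line is shortened to a few of its options).
RUNNING_CONF = """\
add vpn sessionAction AC_OS_192.168.10.100_A_ -splitTunnel OFF -SSO ON -clientlessVpnMode ON -SecureBrowse ENABLED -storefronturl "https://xm.training.lab:8443"
add vpn sessionPolicy PL_OS_192.168.10.100 "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS" AC_OS_192.168.10.100_A_
bind policy patset ns_cvpn_default_inet_domains xm.training.lab:8443 -index 2
bind vpn vserver _XM_XenMobileGateway -appController "https://xm.training.lab:8443"
"""

# One pattern per setting the exercise corrects: (object name, value).
PATTERNS = (
    ("storefronturl", re.compile(r'^add vpn sessionAction (\S+) .*?-storefronturl "?([^"\s]+)')),
    ("appController", re.compile(r'^bind vpn vserver (\S+) -appController "?([^"\s]+)')),
    ("clientless domain", re.compile(r'^bind policy patset (ns_cvpn_default_inet_domains) (\S+) -index \d+')),
)


def host_port(value):
    """Split 'https://host:port' or a bare 'host:port' into (host, port or None)."""
    parts = urlsplit(value if "://" in value else "//" + value)
    return (parts.hostname or "").lower(), parts.port


def backend_refs(conf):
    """Return (setting, object name, host, port) for each back-end reference."""
    refs = []
    for line in conf.splitlines():
        for setting, pattern in PATTERNS:
            match = pattern.match(line.strip())
            if match:
                refs.append((setting, match.group(1), *host_port(match.group(2))))
    return refs


def audit(conf, xms_host, xms_port=8443):
    """List settings that do not point at the XenMobile Server host and port."""
    want = (xms_host.lower(), xms_port)
    refs = backend_refs(conf)
    findings = [
        f"{setting} on {name} is {host}:{port}, expected {want[0]}:{want[1]}"
        for setting, name, host, port in refs
        if setting != "clientless domain" and (host, port) != want
    ]
    # The pattern set is a list of allowed domains: the right entry has to be
    # present, and an old entry left beside it is not reported.
    domains = {(host, port) for setting, _, host, port in refs
               if setting == "clientless domain"}
    if want not in domains:
        findings.append(f"ns_cvpn_default_inet_domains has no entry for {want[0]}:{want[1]}")
    return findings


if __name__ == "__main__":
    for finding in audit(RUNNING_CONF, "75-126-159-220.mycitrixtraining.net"):
        print(finding)
```

A URL saved without the :8443 port is reported as well, because the port parses as None and does not match the expected value.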
Exercise 6
Unable to Navigate Intranet Sites
Overview
In this exercise students will install the WorxWeb mobile app on their iOS or Android device and
attempt to access Intranet sites.
Please note that some of the configuration previously conducted was incorrect (on purpose). This
will allow us to go through the troubleshooting phase later, investigate what’s wrong and where, and fix it.
Step by step guidance
Estimated time to complete this lab: 30 minutes.
Step Action
iOS and Android (the steps are the same on both platforms unless noted):
1. Inside Worx Store, download and install WorxWeb app.
2. Tap Install.
3. iOS: Once installed, launch WorxWeb. Tap Trust at the prompt.
Android: If you are unable to install WorxWeb, make sure to check if the Unknown Sources is
checked on Android.
4. The Citrix.com homepage should come up successfully.
5. Tap the bookmarks.
6. Tap Favorites > tap Training.
7. Tap SharePoint.
8. Do you witness a delay? Did an error pop-up?
9. Indeed!
What could be the root cause?
Let’s try to test the other bookmark, Office Mail.
10. Do you see any errors?
11. No errors witnessed.
This narrows down the issue to only SharePoint.
Here is what we know:
- WorxWeb can access Internet sites (e.g. Citrix.com)
- WorxWeb can also access Intranet sites (e.g. Office Mail)
Because we are leveraging WorxWeb and tunneling all the traffic to the NetScaler, we
need to find out how the NetScaler is handling the requests to SharePoint on behalf of the
mobile device.
12. First, let’s find out if the NetScaler can resolve the name of the SharePoint site (e.g.
sp.training.lab).
13. Go to the mRemoteNG console window and re-establish the SSH session with NS 1.
14. Type shell and hit Enter.
15. Type the following command to check if the NetScaler can resolve the SharePoint URL.
dig sp.training.lab and hit Enter.
16. This is what is expected:
root@ns# dig sp.training.lab
; <<>> DiG 9.8.4-P2 <<>> sp.training.lab
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4465
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;sp.training.lab. IN A
;; ANSWER SECTION:
sp.training.lab. 3600 IN A 192.168.10.140
;; Query time: 1 msec
;; SERVER: 127.0.0.2#53(127.0.0.2)
;; WHEN: Mon Jan 5 23:03:01 2015
;; MSG SIZE rcvd: 49
17. Take a closer look at the IP address returned for SharePoint. Is this the correct address
listed on page 4 (under the VMs table)?
18. Correct! It is not the correct IP address.
Go to the mRemoteNG console > Connections > double-click AD. This is the VM that
hosts the DNS service.
19. On the desktop, double-click DNS.
20. Expand the Forward Lookup Zones and click training.lab.
21. Double-click SP record to edit the value.
22. Remove the zero and click OK.
23. Verify the record is correct.
24. Now, we need to flush the proxy records on the NetScaler to ensure a new DNS query is
made for SharePoint.
25. Go to mRemoteNG console window and re-establish the SSH session with NS 1.
26. Ensure you are not in the shell.
Type the following command:
flush dns proxyRecords and hit Enter.
27. Next, type shell and hit Enter.
28. Run the Dig command to query the correct SharePoint IP address from DNS.
Type the command:
dig sp.training.lab and hit Enter.
29. The results should look like this:
root@ns# dig sp.training.lab
; <<>> DiG 9.8.4-P2 <<>> sp.training.lab
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45727
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;sp.training.lab. IN A
;; ANSWER SECTION:
sp.training.lab. 3600 IN A 192.168.10.14
;; Query time: 1 msec
;; SERVER: 127.0.0.2#53(127.0.0.2)
;; WHEN: Mon Jan 5 23:20:25 2015
;; MSG SIZE rcvd: 49
30. Notice the highlighted area (the address in the ANSWER SECTION). This is now showing the correct value.
31. Launch WorxWeb and try to access the SharePoint bookmark now.
Note: When launching WorxWeb, you may be prompted to enter the password (e.g.
Citrix123).
32. Congratulations, you have finished this lab exercise.
Exercise Summary
In this exercise students configured and installed WorxWeb to access intranet/internet sites from
the mobile device.
In addition, students had the opportunity to troubleshoot intranet access issues via WorxWeb. In
this scenario, WorxWeb was configured to use MicroVPN to send all the traffic to the NetScaler
Gateway. Hence, the NetScaler uses the SNIP/MIP address to contact the back-end resources
(e.g. DNS, Web servers, etc.) on behalf of the mobile device.
For more information on MicroVPN and XenMobile, check out this article -
http://support.citrix.com/article/CTX136914
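The comparison made by eye in steps 16 and 17 (dig answer versus the address the VM should have) can be automated for a list of intranet names. This is an added example, not part of the original lab guide; the function names and the INVENTORY mapping are assumptions, and the sample is the dig output from step 16 with two lines left out.

```python
import re

# dig output from step 16 of this exercise (before the DNS record is fixed),
# with the WARNING, WHEN and MSG SIZE lines left out.
DIG_BEFORE = """\
; <<>> DiG 9.8.4-P2 <<>> sp.training.lab
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4465
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;sp.training.lab. IN A
;; ANSWER SECTION:
sp.training.lab. 3600 IN A 192.168.10.140
;; Query time: 1 msec
;; SERVER: 127.0.0.2#53(127.0.0.2)
"""

# Assumption: the address the record should hold, taken from the dig output
# step 29 shows after the fix.
INVENTORY = {"sp.training.lab": "192.168.10.14"}


def parse_dig(output):
    """Pull status, queried name, answering server and answer records from dig text."""
    status = re.search(r"status: (\w+)", output)
    question = re.search(r"^;(\S+?)\.?\s+IN\s+A\s*$", output, re.M)
    server = re.search(r"^;; SERVER: ([^#\s]+)", output, re.M)
    answers, in_answer = [], False
    for line in output.splitlines():
        if line.startswith(";;"):
            in_answer = line.startswith(";; ANSWER SECTION")
        elif in_answer and line.strip() and not line.startswith(";"):
            name, ttl, _cls, rtype, rdata = line.split(None, 4)
            answers.append((name.rstrip(".").lower(), int(ttl), rtype, rdata.strip()))
    return {
        "status": status.group(1) if status else "UNKNOWN",
        "question": question.group(1).lower() if question else "",
        "server": server.group(1) if server else "unknown",
        "answers": answers,
    }


def check(output, inventory):
    """Compare the A records dig returned with the inventory; return findings."""
    result = parse_dig(output)
    name = result["question"]
    if result["status"] != "NOERROR":
        return [f"{name}: query failed with status {result['status']}"]
    got = sorted(r[3] for r in result["answers"] if r[0] == name and r[2] == "A")
    if not got:
        return [f"{name}: no A record in the answer"]
    expected = inventory.get(name)
    if expected is None:
        return [f"{name}: not in the inventory, resolver returned {', '.join(got)}"]
    return [
        f"{name}: resolver {result['server']} returned {addr}, inventory lists {expected}"
        for addr in got if addr != expected
    ]


if __name__ == "__main__":
    print(check(DIG_BEFORE, INVENTORY))
```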
Exercise 7
Unable to Access Mail via WorxMail on iOS
Overview
In this exercise, students will identify and fix why they cannot access mail via WorxMail for iOS.
Please note: if you have an Android device, go to Exercise #8.
During this part of the rollout, the IT Admin configured the XenMobile Server and WorxMail to use
the Secure Ticket Authority (STA) feature in order to save battery life on mobile devices. The goal
is to allow remote mobile users to launch WorxMail and be able to access mail from Exchange.
Here is the scenario explained by one of the end-users using iOS: “I access Worx Store to
download and install WorxMail. WorxMail installation is successful. I launch WorxMail, I enter the
address of the Exchange Server (e.g. mail.training.lab) and tap Save. Next, I received an error that
says:”
“Access to your company network is not currently available.”
Pre-requisites on your mobile device:
- Worx Home installed and configured as per previous Exercise #5.
- Mobile device with native email client registered to a personal or corporate mail account
(e.g. Yahoo, Outlook.com, Exchange, etc.) This is needed in order to extract the Worx Home
log files via email.
Tools to be used:
Students will leverage NetScaler commands to verify WorxMail connections, WorxMail logs to verify
what policies were configured on WorxMail and Notepad++ to find out what could be the root cause
issue of mail access.
Step by step guidance
Estimated time to complete this lab: 40 minutes.
Step Action
1. Let’s reproduce the end-user issue. From Worx Home for iOS, sign in as User1.
Username: user1
Password: Citrix123
2. Tap into Worx Store and tap into WorxMail to download and install it.
3. Launch WorxMail and type the mail server FQDN: mail.training.lab.
Tap Sign On.
4. Do you see any errors?
Tap OK.
5. Next step, let’s gather the WorxMail log files from Worx Home.
Go back to Worx Home, swipe to the right until you reach the Support area.
6. Tap the envelope icon.
7. This should bring up two options:
Gather logs from Worx Home and/or WorxMail. In our case, we’re interested in the WorxMail
logs.
8. Tap into WorxMail iOS.
9. Before clicking Send Log you need to turn off the option Send using WorxMail.
This should then launch your native email client configured on your iOS device. Send
yourself an email with the log files so they can be examined.
10. From the Student Desktop, access your email mailbox (where you sent the WorxMail log
files) and download them. You should have received a Logs.zip file.
Extract the files.
11. Navigate to the MDXApps folder and extract the WorxMail.zip file.
12. Navigate to the Diagnostics folder. Right-click the .CSV file and then select Edit with
Notepad++.
13. Next, press the Ctrl + F keys and enter the following keyword: agtunneler.
Click Find All in Current Document.
14. In the Find Results, scroll down and search for a line similar to this one:
",AGTunneler,WARNING (3),"Failed to resolve gatewayDomain(ag.domain.lab) to ip address;
15. Double-click the most current entry. We’re looking for the line that refers to the STA
tunneling.
Example:
",AGTunneler,INFO (4),"AG policy: Intercepting mail.training.lab:443 for STA tunneling"
16. Notice from the previous line, the Exchange Server FQDN (mail.training.lab:443) is
correctly defined, so why is NetScaler Gateway failing with this name resolution error?
",AGTunneler,WARNING (3),"Failed to resolve gatewayDomain(ag.domain.lab) to ip address;
17. Next step is to check what policies were configured on WorxMail. The MDX policies will
provide us with all details regarding the STA configuration. These policy settings are
available in the WorxMail logs.
Let’s go back to the WorxMail logs and navigate to the
C:\Users\localuser\Downloads\Logs\MDXApps\WorxMail folder.
18. In the WorxMail folder, there is a file called CtxLog_AppPolicies.xml. This file contains
the WorxMail MDX policy settings configured on the XenMobile Server.
Right-click the CtxLog_AppPolicies.xml file and select Edit with Notepad++.
19. The XML tags of interest are:
<key>BackgroundServices</key> and <key>BackgroundServicesGateway</key>.
Do you see anything wrong with the BackgroundServicesGateway value?
20. Indeed! ag.domain.lab does not exist.
The Background Services Gateway is the key value that holds the NetScaler Gateway
FQDN to which WorxMail proxies the STA ticket. NetScaler Gateway then validates
the STA ticket with XenMobile Server and proxies the connection to the Exchange Server (i.e.
mail.training.lab).
We need to modify this value on WorxMail and enter the PublicIP1 FQDN available on
your lab details page.
21. Next, let’s go to the XenMobile Server management console.
Log on as administrator.
Username: administrator
Password: Citrix123
22. Go to the Configure tab then select the Apps tab and select WorxMail and click the Edit
button (pencil icon).
23. Click the iOS tab under the Platform section. Scroll down to the Application Settings
area. You should see the wrong value assigned to Background network service
gateway.
24. In this field, you have to specify the PublicIP1 FQDN found on your lab details page along
with the port number (e.g. 443).
Example:
Background network service gateway: 75-126-154-53.mycitrixtraining.net:443
Click Save.
25. Before testing, let’s check the NetScaler Gateway configuration too.
On the Student Desktop, open Internet Explorer, select the NetScaler bookmark to login
to the management console.
Log on with nsroot credentials.
Username: nsroot
Password: nsroot
26. On NetScaler management console, go to NetScaler Gateway > Virtual Servers >
double-click the _XM_XenMobileGateway virtual server to open it.
27. Go to the Published Applications section on the right and click on the STA Server
section.
Notice that it says No STA Server!
28. Enter the PublicIP2 FQDN with Port 8443 defined and choose IPV4 as the STA Server
Address Type and then click Bind.
29. Validate that STA URL matches your XenMobile Server PublicIP2 FQDN and has an Up
status. For WorxMail STA feature to work you must have the XenMobile Server FQDN
over port 8443.
30. Next, let’s clear any active sessions on the NetScaler Gateway before we test.
Click on NetScaler Gateway > Active user sessions.
31. Click Continue to show all active user sessions, then click Terminate.
Click Done.
32. Now, let’s test! On your iOS device, kill the WorxMail and Worx Home processes that are
running. In order for this new change to take effect on WorxMail that is already installed, we
need to log on again through Worx Home.
Log on as User1.
Username: user1
Password: Citrix123
33. Tap into WorxMail iOS.
34. Enter the Exchange Server Address: mail.training.lab. Tap Sign On.
35. Next, you should be prompted for user1 credentials.
Password: Citrix123
Domain: training.lab
Tap Sign On.
36. Verify whether or not emails are syncing. Try to send a new message from WorxMail.
Click New Message.
37. Enter the User One email address ([email protected]) and type test as part of the subject
and body message.
Tap Send.
38. To verify that you are truly using the STA feature instead of microVPN, go back to Worx
Home and Sign Off.
39. Switch back to WorxMail and send a New Message to yourself (ie. [email protected]).
40. To verify the WorxMail connection via NetScaler Gateway is working, launch a CLI session
to the NetScaler device.
Go to mRemoteNG console window and re-establish the SSH session with NS 1.
41. Log on as nsroot user.
Username: nsroot
Password: nsroot
42. Type sh icaConnection and press Enter. Do you see anything?
Of course you do! You should see a secure SOCKS proxy connection between the Client
(mobile device) and the Exchange Server.
Example:
Client IP: Mobile Device IP Address
CPS IP = Exchange Server IP address
CPS Port = 443 (ActiveSync port)
You can also see the same information from NetScaler management console under
NetScaler Gateway node > ICA connections.
43. Log off from Worx Home.
Exercise Summary
In this exercise, you were able to identify and fix why mobile users using iOS devices were not able to sync email via WorxMail using the Secure Ticket Authority (STA) feature from XenMobile. When IT Admins configure NetScaler Gateway, XenMobile Server and WorxMail using STA, it is necessary to enter the correct information.
On NetScaler, define the Secure Ticket Authority (STA) pointing to the XenMobile Server over port 8443.
On the XenMobile Server, define the background services correctly:
- Background network services: Exchange Server FQDN:port
Example: Background network services: mail.training.lab:443
- Background network service gateway: NetScaler Gateway FQDN:port
Example: Background network service gateway: 75-126-147-85.mycitrixtraining.net:443
For more information regarding the differences between microVPN vs. STA for WorxMail connections, refer to this blog - http://blogs.citrix.com/2013/09/16/improving-battery-life-with-worxmail-sta-to-the-rescue/.
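The correlation done in steps 13 to 20 (AGTunneler log messages against the BackgroundServicesGateway policy) can be scripted over the extracted log bundle. This is an added example, not part of the original lab guide or of WorxMail; the function names are hypothetical, the leading CSV columns and the `<string>` value elements are assumptions about the file layout, and only the message text and key names come from this exercise.

```python
import re

# Constructed samples. The message text is the text quoted in steps 14, 15 and
# 20; the leading CSV columns and the <string> elements are assumptions.
DIAGNOSTICS_CSV = '''\
"2015-01-05 20:11:02","WorxMail",AGTunneler,INFO (4),"AG policy: Intercepting mail.training.lab:443 for STA tunneling"
"2015-01-05 20:11:03","WorxMail",AGTunneler,WARNING (3),"Failed to resolve gatewayDomain(ag.domain.lab) to ip address;"
'''
APP_POLICIES_XML = '''\
<dict>
  <key>BackgroundServices</key><string>mail.training.lab:443</string>
  <key>BackgroundServicesGateway</key><string>ag.domain.lab:443</string>
</dict>
'''

RESOLVE_FAILED = re.compile(r'AGTunneler,WARNING \(3\),"Failed to resolve gatewayDomain\(([^)]+)\)')
STA_INTERCEPT = re.compile(r'AGTunneler,INFO \(4\),"AG policy: Intercepting (\S+) for STA tunneling')
POLICY = re.compile(r"<key>(BackgroundServices(?:Gateway)?)</key>\s*<string>([^<]*)</string>")


def endpoint(value):
    """Split 'host:port' into (host, port); port is None when it is missing."""
    value = value.strip().lower()
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return value, None


def diagnose(csv_text, policy_xml, gateway_fqdn):
    """Cross-check the MDX gateway policy with what AGTunneler logged."""
    policies = dict(POLICY.findall(policy_xml))
    unresolved = {d.lower() for d in RESOLVE_FAILED.findall(csv_text)}
    sta_targets = sorted(set(STA_INTERCEPT.findall(csv_text)))
    host, port = endpoint(policies.get("BackgroundServicesGateway", ""))
    findings = []
    if not host:
        findings.append("BackgroundServicesGateway is not set")
    else:
        if host != gateway_fqdn.lower():
            findings.append(f"BackgroundServicesGateway is {host}, expected {gateway_fqdn.lower()}")
        if port is None:
            findings.append("BackgroundServicesGateway has no port")
        if host in unresolved:
            findings.append(f"log confirms it: AGTunneler could not resolve {host}")
    # A failure for some other name usually means the log predates the policy
    # the device holds now (the lab logs on again to pick up the change).
    for domain in sorted(unresolved - {host}):
        findings.append(f"AGTunneler could not resolve {domain}, which is not the policy gateway")
    return {"sta_targets": sta_targets, "findings": findings}


if __name__ == "__main__":
    print(diagnose(DIAGNOSTICS_CSV, APP_POLICIES_XML, "75-126-154-53.mycitrixtraining.net"))
```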
Exercise 8
Unable to Access Mail via WorxMail on Android
Overview
In this exercise students will identify and fix why they cannot access mail via WorxMail for Android.
During this part of the rollout, the IT Admin configured the XenMobile Server and WorxMail to use
the Secure Ticket Authority (STA) feature in order to save battery life on mobile devices. The goal
is to allow remote mobile users to launch WorxMail and be able to access mail from Exchange.
There is no XenMobile Device Manager involved in this scenario.
Here is the scenario explained by one of the end-users using Android: “I access Worx Store to
download and install WorxMail. WorxMail installation is successful. I launch WorxMail, I enter my
email address and password. Tap Save. Next, I received an error that says:”
“Error while establishing connection to server.”
I tap Try Again, and enter the Exchange Server FQDN (ie. mail.training.lab) and tap Next. Error
displayed:
“Access to your company network is not currently available.”
Pre-requisites on your mobile device:
- Worx Home installed and configured as per previous Exercise #3.
- Mobile device with native email client registered to a personal or corporate mail account
(e.g. Yahoo, Outlook.com, Exchange, etc.) This is needed in order to extract the Worx Home
log files via email.
Tools to be used:
Students will leverage NetScaler commands to verify WorxMail connections, WorxMail logs to verify
what policies were configured on WorxMail and Notepad++ to find out what could be the root cause
issue of mail access.
Step by step guidance
Estimated time to complete this lab: 40 minutes.
Step Action
1. Let’s reproduce the end-user issue. From Worx Home for Android, sign in as User1.
Username: user1
Password: Citrix123
2. Tap into Worx Store and tap WorxMail to download and install it.
3. Launch WorxMail and enter the email address of User1 and password.
Email address: [email protected]
Password: Citrix123
Tap Next.
4. What error message do you see?
Tap Try Again.
5. Enter the mail server FQDN: mail.training.lab.
Tap Next.
6. What error message do you see?
Tap Try Again.
7. We need to verify all of the NetScaler Gateway settings. We will use a Citrix Diagnosis
Tool called Cerebro to validate the XenMobile configuration on the NetScaler Gateway.
On the Student Desktop, open the folder CEREBRO and right click on
CEREBROUI.exe. Click Run as administrator.
8. Click Online Analysis.
9. Enter the following information:
NetScaler Management IP: 192.168.10.50
Username: nsroot
Password: nsroot
Click Start Analysis.
10. Notice the STA configuration shows up as “Not Configured”.
Let’s take a look at the NetScaler Gateway configuration.
11. On the Student Desktop, open Internet Explorer, select the NetScaler bookmark to log
on to the management console.
Log on with nsroot credentials.
Username: nsroot
Password: nsroot
12. On NetScaler management console, go to NetScaler Gateway > Virtual Servers >
double-click the _XM_XenMobileGateway virtual server to open it.
13. Go to the Published Applications section on the right and click on the STA Server
section.
Notice that it says No STA Server!
14. Enter the PublicIP2 FQDN with Port 8443 defined and choose IPV4 as the STA Server
Address Type and then click Bind.
15. Validate that STA URL matches your XenMobile Server PublicIP2 FQDN and has an Up
status. For WorxMail STA feature to work you must have the XenMobile Server FQDN
over port 8443.
16. Next, let’s clear any active sessions on the NetScaler Gateway before we test.
Click on NetScaler Gateway > Active user sessions.
17. Click Terminate.
Click Close.
18. Before we test again, go back to the Cerebro Tool and run the analysis again.
Notice that the STA configuration is now validated successfully.
19. Now, let’s test! On your Android device, kill/close the running WorxMail process. In order
for this new change to take effect, we need to log on again through Worx Home.
Log on as User1.
Username: user1
Password: Citrix123
20. Tap into WorxMail Android.
21. Enter the User1 email address and password.
Email Address: [email protected]
Password: Citrix123
Tap Next.
22. Do you get any errors?
I’m afraid yes. The error expected is this:
“Error while establishing connection to server.”
This error happens because WorxMail is trying to leverage Exchange auto discover
service. This lab environment is not configured for Exchange auto discovery.
Tap Try Again to enter the Exchange Server FQDN.
23. In the Server field, enter the Exchange Server FQDN: mail.training.lab.
Tap Next.
24. Once WorxMail is configured, test if you can send/receive emails.
Tap in the New Message icon.
Send yourself (ie. User1) an email. Enter User One email address ([email protected])
and type test as part of the subject and body message.
Tap Send.
25. To verify that you are truly using the STA feature instead of microVPN, go back to Worx
Home and Sign Off.
26. Switch back to WorxMail and send a New Message to yourself (ie. [email protected]).
27. To verify the WorxMail connection via NetScaler Gateway is working, launch a CLI
session to the NetScaler device.
Go to mRemoteNG console window and re-establish the SSH session with NS 1.
28. Log on as nsroot user.
Username: nsroot
Password: nsroot
29. Type sh icaConnection and press Enter. Do you see anything?
Of course you do! You should see a secure SOCKS proxy connection between Client
(mobile device) and Exchange Server.
Example:
Client IP: Mobile Device IP Address
CPS IP = Exchange Server IP address
CPS Port = 443 (ActiveSync port)
You can also see the same information from NetScaler management console under
NetScaler Gateway > ICA connections.
30. Log off from Worx Home.
Exercise Summary
In this exercise, you were able to identify and fix why mobile users using Android devices were not able to sync email via WorxMail and use the Secure Ticket Authority (STA) feature from XenMobile. When IT Admins configure NetScaler Gateway, XenMobile Server and WorxMail using STA, it is necessary to enter the correct information.
On NetScaler, define the Secure Ticket Authority (STA) pointing to the XenMobile Server.
On XenMobile Server, define the background services correctly:
- Background network services: Exchange Server FQDN:port
Example: Background network services: mail.training.lab:443
- Background network service gateway: NetScaler Gateway FQDN:port
Example: Background network service gateway: 75-126-147-85.mycitrixtraining.net:443
For more information regarding the differences between microVPN vs. STA for WorxMail connections, refer to this blog - http://blogs.citrix.com/2013/09/16/improving-battery-life-with-worxmail-sta-to-the-rescue/.
Exercise 9
Unable to Enumerate HDX Apps
Overview
In this exercise students will try to enumerate HDX Apps (e.g. Windows apps/desktops) via Worx
Home.
At this point, students should have noticed that only WorxWeb is being displayed inside Worx Store,
and no Windows apps or desktops are enumerated.
Note: For this exercise, students are not required to launch HDX apps from their mobile device. The
goal of this exercise is to fix app enumeration.
Step by step guidance
Estimated time to complete this lab: 20 minutes.
Step Action
iOS and Android (the step is the same on both platforms):
1. Launch Worx Home and validate that no Windows apps/desktops are displayed.
2. Let’s find out what the issue is.
Open Chrome browser and click the XenMobile Server bookmark.
3. At the Certificate warning prompt, click Proceed to 192.168.10.20 (unsafe).
4. Login with the following credentials:
Username: administrator
Password: Citrix123
Click Sign in.
5. Click the tool icon.
6. Under Log Operations > click Logs.
7. Let’s open the DebugLog file to check what could be the root cause of not being able to
see HDX apps via Worx Home.
Select DebugLog > click View.
8. Hit Ctrl + F to find the following keyword PNAgent.
9. What errors do you see?
2015-01-05T19:20:50.27-0800 | e444a54f6788636e | INFO | http-nio-18443-exec-1 | com.citrix.cg.bo.GenericPNAMgr |
PNA Web Service URL:http://192.168.10.40:80/Citrix/Store/PNAgent/config.xml
2015-01-05T19:20:50.34-0800 | e444a54f6788636e | ERROR | http-nio-18443-exec-1 | com.citrix.cg.bo.GenericPNAMgr |
Unable to get the element data //Request/Enumeration/Location/text()
2015-01-05T19:20:50.34-0800 | e444a54f6788636e | DEBUG | http-nio-18443-exec-1 | com.citrix.cg.bo.GenericPNAMgr |
Before replacing Host and Port
2015-01-05T19:20:50.34-0800 | e444a54f6788636e | DEBUG | http-nio-18443-exec-1 | com.citrix.cg.bo.GenericPNAMgr |
Creating PNA DAO instance ...
2015-01-05T19:20:50.35-0800 | e444a54f6788636e | DEBUG | http-nio-18443-exec-1 | com.citrix.cg.bo.GenericPNAMgr |
PNA Details Host: 192.168.10.40, Path: /Citrix/Store/PNAgent/config.xml
2015-01-05T19:20:50.35-0800 | e444a54f6788636e | ERROR | http-nio-18443-exec-1 | com.citrix.cg.bo.GenericPNAMgr |
PNA MalformedURLException no protocol:
2015-01-05T19:20:50.35-0800 | e444a54f6788636e | DEBUG | http-nio-18443-exec-1 | com.citrix.cg.bo.GenericPNAMgr |
PNA generatePNAServiceURL null URL : {}
10. We can definitely determine that XenMobile Server is unable to query the config.xml file
in the StoreFront server to enumerate HDX apps.
This particular error provides a clue: PNA MalformedURLException no protocol:
This could mean that IIS is not working properly on StoreFront? Let’s investigate.
11. Go to the mRemoteNG console window and double-click the DDC VM.
12. Go to the Start menu.
13. Click IIS Manager console.
14. Navigate to the Sites node.
15. It is clear that the IIS site is UP (check the Status column).
However, there is something different in the next column (ie. Binding).
16. Bingo! There is a Host Header value defined. This means that only incoming requests to
http://ddc.training.lab will be processed. Anything else is not.
If you remember, we configured the XenApp/XenDesktop settings on XenMobile Server
like this (from Exercise 4):
17. Let’s go back to XenMobile Server > Settings > More > click XenApp/XenDesktop.
Change the Host value to ddc.training.lab.
18. Click Save.
19. Let’s Test!
Launch Worx Home on your mobile device. You can Sign Off and Sign On again to
re-enumerate the application list.
iOS:
Android:
20. BONUS!
If you would like to test HDX app launch on the mobile device, here are some missing
pieces in this deployment that you need to configure on your own:
- There is no XenApp/XenDesktop defined as STA on the NetScaler Gateway.
- There is no Remote Access configured on StoreFront.
If you get stuck during the configuration of StoreFront, please consult with the instructor
or one of the facilitators for further assistance.
21. Congratulations, you have finished this lab exercise.
Exercise Summary
In this exercise students troubleshot the issue of not being able to enumerate HDX apps via Worx
Home.
It is important to remember that XenMobile queries the PNAgent services site (e.g. the
/PNAgent/config.xml file) on StoreFront to enumerate Windows apps/desktops from
XenApp/XenDesktop respectively.
As a reminder, XenMobile Server 10 does not allow StoreFront to be deployed in-front of the
XenMobile solution anymore. Instead, XenMobile Server 10 needs to contact the StoreFront (or
Web Interface) server using the PNAgent services site.
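The DebugLog review in steps 8 to 16 can be scripted: pull the GenericPNAMgr records, list their errors, and flag a PNAgent URL that addresses StoreFront by IP, which is what the IIS host header binding rejected here. This is an added example, not part of the original lab guide or of XenMobile; the function names are hypothetical, and the sample is the log excerpt from step 9 with each message on the line after its header fields.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# DebugLog excerpt from step 9; each message sits on the line after its header.
DEBUG_LOG = """\
2015-01-05T19:20:50.27-0800 | e444a54f6788636e | INFO | http-nio-18443-exec-1 | com.citrix.cg.bo.GenericPNAMgr |
PNA Web Service URL:http://192.168.10.40:80/Citrix/Store/PNAgent/config.xml
2015-01-05T19:20:50.34-0800 | e444a54f6788636e | ERROR | http-nio-18443-exec-1 | com.citrix.cg.bo.GenericPNAMgr |
Unable to get the element data //Request/Enumeration/Location/text()
2015-01-05T19:20:50.34-0800 | e444a54f6788636e | DEBUG | http-nio-18443-exec-1 | com.citrix.cg.bo.GenericPNAMgr |
Before replacing Host and Port
2015-01-05T19:20:50.34-0800 | e444a54f6788636e | DEBUG | http-nio-18443-exec-1 | com.citrix.cg.bo.GenericPNAMgr |
Creating PNA DAO instance ...
2015-01-05T19:20:50.35-0800 | e444a54f6788636e | DEBUG | http-nio-18443-exec-1 | com.citrix.cg.bo.GenericPNAMgr |
PNA Details Host: 192.168.10.40, Path: /Citrix/Store/PNAgent/config.xml
2015-01-05T19:20:50.35-0800 | e444a54f6788636e | ERROR | http-nio-18443-exec-1 | com.citrix.cg.bo.GenericPNAMgr |
PNA MalformedURLException no protocol:
2015-01-05T19:20:50.35-0800 | e444a54f6788636e | DEBUG | http-nio-18443-exec-1 | com.citrix.cg.bo.GenericPNAMgr |
PNA generatePNAServiceURL null URL : {}
"""

RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2}T[\d:.]+[+-]\d{4} \|")
FIELDS = ("time", "request", "level", "thread", "logger", "message")


def parse_records(text):
    """Turn pipe-delimited log text into dicts, joining wrapped message lines."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line):
            parts = [part.strip() for part in line.split("|", 5)]
            parts += [""] * (len(FIELDS) - len(parts))
            records.append(dict(zip(FIELDS, parts)))
        elif records and line.strip():
            last = records[-1]
            last["message"] = f"{last['message']} {line.strip()}".strip()
    return records


def pna_findings(text):
    """Return (kind, detail) pairs for the PNAgent enumeration records."""
    findings = []
    for record in parse_records(text):
        if not record["logger"].endswith("GenericPNAMgr"):
            continue
        message = record["message"]
        if message.startswith("PNA Web Service URL:"):
            url = message.split("URL:", 1)[1].strip()
            try:
                ip_address(urlsplit(url).hostname or "")
            except ValueError:
                continue  # host is a name, nothing to flag
            findings.append(("ip-literal-host",
                             f"{url} addresses StoreFront by IP; a site bound "
                             "with a host header will not serve it"))
        elif record["level"] == "ERROR":
            findings.append(("error", message))
    return findings


if __name__ == "__main__":
    for kind, detail in pna_findings(DEBUG_LOG):
        print(kind, "-", detail)
```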
Revision | Change Description | Updated By | Date
1.0 | Original Version | Adolfo Montoya and Justin Maeder | May 2015